VRRP over VXLAN

  • 1.  VRRP over VXLAN

    Posted Mar 30, 2020 02:05 PM

    Can we use VRRP over VXLAN to back up the SVIs and also for load sharing (reversed VRRP groups)?

     

    General Info:

    * On one side we will have 2x6400 working in VSX, and a second pair on the far end of VSX.

    * There will be an L3 line between the sites.



  • 2.  RE: VRRP over VXLAN

    EMPLOYEE
    Posted Mar 31, 2020 03:34 PM

    Right now, VXLAN is only recommended to be used within a site.

    We are trying to validate long distance VXLAN to be used between sites in a future software release.



  • 3.  RE: VRRP over VXLAN

    Posted Apr 28, 2020 07:41 PM

    Hello DWan,

     

    Since you are an Aruba employee, can you answer whether VRRP over VXLAN is actually supported? I am doing a similar setup where I want to use 4x Aruba 6300 switches with EVPN / MP-BGP, non-stacked, to use VXLAN, all of them with VLAN interfaces and VRRP over the VLAN interfaces for high availability.

     

    Currently, with ArubaOS-CX software version 10.04.1000, as soon as I enable VRRP on the interface VLAN the VNI starts flapping, tearing the VXLAN VNI down and up every few milliseconds. If I remove the VRRP configuration everything works, including interface VLAN connectivity. When downgrading one switch again to version 10.04.0003 the setup starts working again (without any configuration change).

     

    So uhm... is this just coincidentally working with VRRP over a vlan interface or should it work and is actually supported?

     

    Without VRRP the only suitable highly available configuration for end devices would be an IPv6 setup with router advertisements from all four 6300 switches and the client is responsible to automatically pick a gateway and change the gateway upon failure.

     

    Another question to that is - will Anycast Gateways for EVPN VXLAN soon be supported? That way we can completely avoid using VRRP over VXLAN and acquire even better path selection.



  • 4.  RE: VRRP over VXLAN

    Posted May 01, 2020 06:37 PM

    Hello MultiBand,

     

    I have played around with my four switch setup and I think I have found a pretty **bleep** well solution. I don't know if the setup I describe is supported or intended to work as that, but that's what I did to actually get a VXLAN EVPN setup with an anycast gateway to work:

     

    First, set up VXLAN with BGP l2vpn VTEP discovery and IP/MAC distribution. Then configure an interface VLAN on every VTEP and assign a unique IP. After that use the command "active-gateway ip <gateway> mac <mac-addr>". The important thing here is to set the IP AND the MAC address to the same value. If you check "show bgp l2vpn evpn" you see all the gateways you configured popping up. If you first leave out a switch and then ping the IP and do "show arp" you see that only one route via VXLAN is taking precedence. Furthermore, I packet-sniffed on my PC doing a ping into that network to a server to see if the traffic gets duplicated - e.g. routed by the switch and VXLAN-switched to another gateway - it does NOT.

    In my opinion that is what you intended, right? You have a VXLAN setup that is dynamically expanding anywhere you want and an IPv4 anycast gateway to immediately start routing a packet if it's not destined for the VXLAN itself. You can also choose to do a spine/leaf setup where only the spines host the anycast gateway and the leafs do only VXLAN switching. That way you have a highly available gateway even if a spine fails. The failover time is then just route-propagation time until the route for the one MAC address goes down.
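
A consistency check for the setup described in post 4, added here as an example and not part of the original post or of any Aruba tooling. It reads the post's "same value" as the active-gateway IP and MAC being identical on every VTEP (an assumption) while each SVI IP stays unique; the hostnames, addresses and MACs are constructed, and the `interface vlan` / `ip address` line layout is an assumed config format.

```python
import re
from collections import defaultdict
# Constructed sample configs; vtep3 is deliberately misconfigured (assumed line layout).
CONFIGS = {
    "vtep1": """
interface vlan 10
    ip address 10.0.10.2/24
    active-gateway ip 10.0.10.1 mac 00:00:5e:00:53:01
""",
    "vtep2": """
interface vlan 10
    ip address 10.0.10.3/24
    active-gateway ip 10.0.10.1 mac 00:00:5e:00:53:01
""",
    "vtep3": """
interface vlan 10
    ip address 10.0.10.3/24
    active-gateway ip 10.0.10.1 mac 00:00:5e:00:53:02
""",
}

def parse(config):
    """Return {vlan: {"ip": svi_ip, "gw": (gateway_ip, mac)}} for one switch."""
    vlans, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():  # top-level line starts a new context
            m = re.match(r"interface vlan\s*(\d+)", line)
            current = vlans.setdefault(int(m.group(1)), {}) if m else None
        elif current is not None:
            if m := re.match(r"\s+ip address (\S+)", line):
                current["ip"] = m.group(1)
            elif m := re.match(r"\s+active-gateway ip (\S+) mac (\S+)", line):
                current["gw"] = (m.group(1), m.group(2).lower())
    return vlans

def check(configs):
    """Findings: gateway IP/MAC must match on all VTEPs, SVI IPs must be unique."""
    gws, ips, findings = defaultdict(set), defaultdict(list), []
    for host, text in configs.items():
        for vlan, v in parse(text).items():
            gws[vlan].add(v.get("gw"))
            ips[(vlan, v.get("ip"))].append(host)
    for vlan, seen in sorted(gws.items()):
        if len(seen) > 1:
            findings.append(f"vlan {vlan}: active-gateway differs across VTEPs")
    for (vlan, ip), hosts in sorted(ips.items(), key=str):
        if len(hosts) > 1:
            findings.append(f"vlan {vlan}: SVI {ip} reused on {', '.join(hosts)}")
    return findings
```

On the sample data, `check(CONFIGS)` reports the mismatched gateway MAC and the duplicated SVI address on vtep3; with vtep3 removed it returns an empty list.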



  • 5.  RE: VRRP over VXLAN

    Posted Jun 11, 2020 01:46 PM

    I am looking at building the same type of solution using VXLAN and had the same question: will VRRP work across the tunnel?

    I also got the same feedback that this type of design is not currently supported (Data Center interconnect).

    However I will try out your config.

    Thx for the post!!



  • 6.  RE: VRRP over VXLAN

    EMPLOYEE
    Posted Jun 11, 2020 04:44 PM

    VRRP packets can traverse over a VXLAN tunnel.
    But we do not recommend it as a solution for production networks as it has not been fully validated.

     

    We recommend ERPS at this time for DCI

    https://community.arubanetworks.com/t5/Data-Center-Networking-Solutions/AOS-CX-VRRP-ERPS-DCI/ta-p/546916

     

    But yes, the plan is to support VXLAN DCI in the future.